# Initialization

In [102]:
$TenantId = $global:TenantId
# connect once for all necessary scopes for this notebook
$null = Connect-MgGraph -Scopes "Directory.AccessAsUser.All", "Policy.Read.All" -TenantId $TenantId -ErrorAction Stop
# load functions
. "..\src\functions.ps1"

# Privileged administration

## Limit the number of Global Administrators to fewer than 5

*Severity*: High

*Guid*: 9e6efe9d-f28f-463b-9bff-b5080173e9fe

In [101]:

$DirectoryRoleId = Get-MgDirectoryRole -Filter "DisplayName eq 'Global Administrator'" | Select-Object -ExpandProperty Id

# active members of the role (permanent assignments and currently activated PIM assignments)
$globalAdmins = Get-MgDirectoryRoleMember -DirectoryRoleId $DirectoryRoleId

# wrap in an array so .Count is 0 or 1 when the role has no or one member
$Setting = @($globalAdmins)
$Compliant = $Setting.Count -lt 5

if($Compliant)
{
    Write-Host "Compliant to control; there are $($Setting.Count) Global Administrators" -ForegroundColor Green
}
else {
    Write-Host "Not compliant to control; there are $($Setting.Count) Global Administrators" -ForegroundColor Red
}

# TODO: get users that are eligible for GA

Compliant to control; there are 2 Global Administrators
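The cell above only counts active role members, so it misses anyone who is PIM-eligible for Global Administrator and can activate the role on demand. The following cell is an added example, not part of the original notebook, that implements the TODO by combining active assignments and eligibility schedule instances from the unified role management API. It assumes the `Microsoft.Graph.Identity.Governance` module is installed and requests the `RoleManagement.Read.Directory` scope, which the initialization cell does not include; the role id used is the documented Global Administrator role template id.

```powershell
# Added example (not the notebook's own code): count active + PIM-eligible Global Administrators.
# Assumption: RoleManagement.Read.Directory is consented for this app/user.
$null = Connect-MgGraph -Scopes "RoleManagement.Read.Directory" -TenantId $TenantId -ErrorAction Stop

# Global Administrator role template id; the unified role management API uses it as roleDefinitionId
$GlobalAdminRoleId = '62e90394-69f5-4237-9190-012177145e10'

# permanent and currently activated assignments
$ActivePrincipals = @(Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$GlobalAdminRoleId'" -All |
    Select-Object -ExpandProperty PrincipalId)

# PIM eligibility: principals that may activate the role but are not active right now
$EligiblePrincipals = @(Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance -Filter "roleDefinitionId eq '$GlobalAdminRoleId'" -All |
    Select-Object -ExpandProperty PrincipalId)

# a principal that is eligible and has activated appears in both lists; deduplicate before counting.
# Both sides are wrapped in @() so a single result is not string-concatenated.
$Principals = @(@($ActivePrincipals) + @($EligiblePrincipals) | Sort-Object -Unique)

# resolve ids to display names for the report (users, groups and service principals alike)
$Resolved = if ($Principals.Count -gt 0) {
    Get-MgDirectoryObjectById -Ids $Principals | ForEach-Object {
        [pscustomobject]@{
            Id          = $_.Id
            Type        = $_.AdditionalProperties['@odata.type']
            DisplayName = $_.AdditionalProperties['displayName']
            Eligible    = $EligiblePrincipals -contains $_.Id
            Active      = $ActivePrincipals -contains $_.Id
        }
    }
}

$Compliant = $Principals.Count -lt 5

if ($Compliant) {
    Write-Host "Compliant to control; there are $($Principals.Count) active or eligible Global Administrators" -ForegroundColor Green
}
else {
    Write-Host "Not compliant to control; there are $($Principals.Count) active or eligible Global Administrators" -ForegroundColor Red
}

$Resolved | Format-Table -AutoSize
```

A group assigned to the role counts as a single principal here but grants the role to every member of that group, so a `#microsoft.graph.group` row in the table should be expanded with `Get-MgGroupMember` before deciding whether the count is really below 5.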


# External Identities

## Guest invite settings

*Severity*: High

*Guid*: be64dd7d-f2e8-4bbb-a468-155abc9164e9

External Collaboration Settings: Guest invite settings set to `'Only users assigned to specific admin roles can invite guest users'` or `'No one in the organization can invite guest users including admins (most restrictive)'`

In [93]:
$AuthorizationPolicy = Get-MgPolicyAuthorizationPolicy

$Setting = $AuthorizationPolicy.AllowInvitesFrom
$Compliant = $Setting -in 'adminsAndGuestInviters', 'none'

if($Compliant)
{
    Write-Host "Compliant to control, setting is $($Setting)" -ForegroundColor Green
}
else {
    Write-Host "Not compliant to control, setting is $($Setting)" -ForegroundColor Red
}

Compliant to control, setting is adminsAndGuestInviters


## Guest user access restrictions

*Severity*: High

*Guid*: 459c373e-7ed7-4162-9b37-5a917ecbe48f

External Collaboration Settings: Guest user access set to `'Guest user access is restricted to properties and memberships of their own directory objects (most restrictive)'`

In [94]:
# TODO: the external identity policy does not expose the guest user access level;
# this cell only retrieves the policy so its properties can be inspected

$ExternalIdentityPolicy = Get-MgBetaPolicyExternalIdentityPolicy

# $ExternalIdentityPolicy | Format-List *
# $ExternalIdentityPolicy.AdditionalProperties | Format-List *
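The guest user access level is not on the external identity policy; it is the `GuestUserRoleId` property of the authorization policy that the guest invite check above already reads. The following cell is an added example, not part of the original notebook, that evaluates the control against that property. The three role template ids are the documented Microsoft Entra values for the three portal options; the portal wording in the lookup table is reproduced from the control description above.

```powershell
# Added example (not the notebook's own code): check "Guest user access" via authorizationPolicy.guestUserRoleId.
# Role template ids are the documented Entra values; the texts mirror the portal options.
$GuestAccessLevels = @{
    'a0b1b346-4d3e-4e8b-98f8-753987be4970' = 'Guest users have the same access as members (most inclusive)'
    '10dae51f-b6af-4016-8d66-8c2a99b929b3' = 'Guest users have limited access to properties and memberships of directory objects'
    '2af84b1e-32c8-42b7-82bc-daa82404023b' = 'Guest user access is restricted to properties and memberships of their own directory objects (most restrictive)'
}
$RestrictedGuestRoleId = '2af84b1e-32c8-42b7-82bc-daa82404023b'

$AuthorizationPolicy = Get-MgPolicyAuthorizationPolicy -Property "GuestUserRoleId"

$Setting = $AuthorizationPolicy.GuestUserRoleId
# an unknown id (e.g. a future option) is reported as-is rather than silently treated as compliant
$SettingText = if ($GuestAccessLevels.ContainsKey("$Setting")) { $GuestAccessLevels["$Setting"] } else { "unknown guestUserRoleId $Setting" }
$Compliant = "$Setting" -eq $RestrictedGuestRoleId

if ($Compliant) {
    Write-Host "Compliant to control; guest user access is '$SettingText'" -ForegroundColor Green
}
else {
    Write-Host "Not compliant to control; guest user access is '$SettingText'" -ForegroundColor Red
}
```

The comparison is done on the string form of the id because the SDK may return it as a string or as a `Guid` depending on module version; comparing `"$Setting"` avoids a false "not compliant" from a type mismatch.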



# User Setting

## User role permissions (Application registration)

*Severity*: High

*Guid*: a2cf2149-d013-4a92-9ce5-74dccbd8ac2a

The setting "Users can register applications" should be set to `No`.

Users should not be allowed to register applications; grant that capability deliberately through a specific role such as `Application Developer` instead.

In [95]:
$AuthorizationPolicy = Get-MgPolicyAuthorizationPolicy -Property "DefaultUserRolePermissions"

$Setting = $AuthorizationPolicy.DefaultUserRolePermissions.AllowedToCreateApps
$Compliant = $Setting -eq $false

if($Compliant)
{
    Write-Host "Compliant to control; users are not allowed to create applications" -ForegroundColor Green
}
else {
    Write-Host "Not compliant to control; users are allowed to create applications" -ForegroundColor Red
}

Not compliant to control; users are allowed to create applications
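When the control is not met, the remediation is to switch `AllowedToCreateApps` off and give the people who genuinely need to register applications the `Application Developer` role. The following cell is an added example, not part of the original notebook, that lists who currently holds that role so the hand-over can be planned before the default permission is removed. It uses the same `DisplayName` filter convention as the Global Administrator cell and the notebook's existing `Directory.AccessAsUser.All` scope.

```powershell
# Added example (not the notebook's own code): report current holders of the Application Developer role.
$Role = Get-MgDirectoryRole -Filter "DisplayName eq 'Application Developer'"

if (-not $Role) {
    # Get-MgDirectoryRole only returns roles that have been activated in the tenant.
    # A role that was never assigned is not activated yet, so nobody holds it.
    Write-Host "Application Developer role is not activated in this tenant; no principals hold it yet" -ForegroundColor Yellow
}
else {
    $Members = @(Get-MgDirectoryRoleMember -DirectoryRoleId $Role.Id -All)

    if ($Members.Count -eq 0) {
        Write-Host "Application Developer role is activated but has no members" -ForegroundColor Yellow
    }
    else {
        Write-Host "$($Members.Count) principal(s) hold the Application Developer role:" -ForegroundColor Cyan
        $Members | ForEach-Object {
            # members are returned as directoryObject; type-specific fields sit in AdditionalProperties
            [pscustomobject]@{
                Type              = $_.AdditionalProperties['@odata.type']
                DisplayName       = $_.AdditionalProperties['displayName']
                UserPrincipalName = $_.AdditionalProperties['userPrincipalName']
                Id                = $_.Id
            }
        } | Format-Table -AutoSize
    }
}
```

If the role is held through a group or a PIM eligibility, the same pattern as the eligibility check in the Global Administrator section applies: query the unified role management API instead of `Get-MgDirectoryRoleMember`.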


# Custom Domains

## Verified Domains

*Severity*: High

*Guid*: bade4aad-1e8c-439e-a946-667313c00567

Only verified custom domains should be registered.

In [96]:
$Domains = Get-MgBetaDomain

$UnverifiedDomains = $Domains | Where-Object {-not $_.IsVerified}

# wrap in an array so .Count is 0 or 1 when there are no or one unverified domains
$Setting = @($UnverifiedDomains)
$Compliant = $Setting.Count -eq 0

if($Compliant)
{
    Write-Host "Compliant to control; All domains are verified" -ForegroundColor Green
}
else {
    Write-Host "Not compliant to control; There are unverified domains registered: $($Setting.Id -join ', ')" -ForegroundColor Red
}

Not compliant to control; There are unverified domains registered: notverified.spaelling.xyz
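An unverified domain is either a pending registration that should be completed or a stale entry that should be removed. The following cell is an added example, not part of the original notebook, that fetches for each unverified domain the DNS verification records the tenant expects to find, so the owner can either publish them or decide to delete the domain. It uses `Get-MgBetaDomainVerificationDnsRecord` from the same beta module as `Get-MgBetaDomain`; the assumption that the record value (`text` for TXT, `mailExchange` for MX) is exposed through `AdditionalProperties` follows the SDK's handling of subtype fields on `domainDnsRecord`.

```powershell
# Added example (not the notebook's own code): show the expected DNS verification records
# for every unverified domain in the tenant.
$Unverified = @(Get-MgBetaDomain | Where-Object { -not $_.IsVerified })

if ($Unverified.Count -eq 0) {
    Write-Host "No unverified domains; nothing to do" -ForegroundColor Green
}

foreach ($Domain in $Unverified) {
    Write-Host "Unverified domain: $($Domain.Id)" -ForegroundColor Yellow

    Get-MgBetaDomainVerificationDnsRecord -DomainId $Domain.Id | ForEach-Object {
        # RecordType is 'Txt' or 'Mx'; the type-specific value is assumed to be in AdditionalProperties
        $Value = switch ($_.RecordType) {
            'Txt' { $_.AdditionalProperties['text'] }
            'Mx'  { $_.AdditionalProperties['mailExchange'] }
            default { '(unsupported record type)' }
        }
        [pscustomobject]@{
            Domain = $Domain.Id
            Type   = $_.RecordType
            Label  = $_.Label
            Ttl    = $_.Ttl
            Value  = $Value
        }
    } | Format-Table -AutoSize
}
```

Once the record is published, `Confirm-MgBetaDomain -DomainId <domain>` triggers the verification check; a domain that is no longer wanted is removed with `Remove-MgBetaDomain -DomainId <domain>`. Both are write operations and need a scope beyond `Policy.Read.All`, so they are deliberately not run by this read-only cell.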
